On Fri, 18 Mar 2005, David MacQuigg wrote:
> This is probably a naive question, but please understand, I'm an electrical
> engineer, not a DNS expert. My knowledge of DNS is from Chapter 14 in TCP/IP
> Illustrated, W. R. Stevens.
>
> As I understand it, DNS provides a "recursive query" capability whereby one
> query to a domain like rr.com will provide an authoritative answer for any
> subdomain under rr.com. Even if the DNS server at rr.com doesn't have the
> complete DNS records for all its subdomains, they will most likely be in a
> local cache, since there will be frequent queries to rr.com for this
> information.
>
> Seems like we should *require* that SPF queries set the RD bit (recursion
> desired), and expect that any domain with as complex a setup as rr.com set
> the RA bit (recursion available). Then DNS will do the recursion (not some
> SPF checking program), and each subdomain will have its own very simple SPF
> record.
Your understanding is very much incorrect (and I would recommend reading a
specific book on DNS rather than a general one on TCP/IP if you want to
understand DNS). When somebody talks about a DNS server providing
recursive capabilities, what it means is that when you talk to a DNS server,
that server, if it encounters a reference to another server (NS), will do the
query itself and provide the answer to the client that asked; that is, when the
RD bit is set on the request. When it's not set, or when the DNS server is not
recursive, then it's up to the DNS client to do a proper DNS lookup to the
listed NS server.

The DNS protocol, being a multi-tier tree, cannot support providing all
subdomains, as that would be both a security risk and would lead to serious
slow-down in the lookup system.
---
William Leibzon, Elan Networks:
mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
http://www.elan.net/~william/emailsecurity/
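The RD/RA distinction William describes, shown as an added example that is not part of the thread: a client builds a TXT query with the RD bit set, then reads the RA bit and section counts out of the reply to decide whether the server recursed for it or handed back an NS referral that the client must chase itself. The two replies are constructed headers, not captured traffic.

```python
# Added example (not from the thread): RFC 1035 header handling for the RD/RA bits.
import struct

# RFC 1035 section 4.1.1 header flag bits (16-bit field).
QR = 0x8000   # response flag
RD = 0x0100   # recursion desired (set by the client)
RA = 0x0080   # recursion available (set by the server)
RCODE_MASK = 0x000F

def encode_name(name: str) -> bytes:
    """Encode 'rr.com' as length-prefixed labels ending in a zero octet."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 16, txn_id: int = 0x1234, rd: bool = True) -> bytes:
    """Build a single-question DNS query; qtype 16 = TXT (where SPF records live)."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg: bytes) -> dict:
    """Return the header fields a client needs to decide what to do next."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txn_id,
        "is_response": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "answers": an,
        "authority": ns,
    }

def must_iterate(reply: bytes) -> bool:
    """True when the server did not recurse: RA clear, no answers, NS records in authority."""
    h = parse_header(reply)
    return not h["ra"] and h["answers"] == 0 and h["authority"] > 0

# Constructed replies: a recursive resolver (RA set, one answer) versus a
# non-recursive server that returned a referral (RA clear, no answers, two NS records).
RECURSIVE_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
REFERRAL_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 0, 2, 0)

if __name__ == "__main__":
    print(parse_header(build_query("rr.com")))
    print("recursive reply, must iterate:", must_iterate(RECURSIVE_REPLY))
    print("referral reply, must iterate:", must_iterate(REFERRAL_REPLY))
```

An SPF checker that only ever sends RD and trusts the reply would silently get nothing useful from a server that does not set RA, which is why the client-side check matters.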